Zero Trust

---

Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Micro-segmentation and least-privilege access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.

Today’s organizations need a new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located.

• Productivity everywhere: Empower your users to work more securely anywhere and anytime, on any device.
• Cloud migration: Enable digital transformation with intelligent security for today’s complex environment.
• Risk mitigation: Close security gaps and minimize risk of lateral movement.

• Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
• Use least-privilege access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
• Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Zero Trust is the essential security strategy for today’s reality. In 2020, the global pandemic compelled nearly every organization to embrace a Zero Trust strategy as employees went remote, virtual private networks (VPNs) were breached or overwhelmed, and digital transformation became critical to organizational sustainability. The mandate emerged for a Zero Trust approach to verify and secure every identity, validate device health, enforce least privilege, and capture and analyze telemetry to better understand and secure the digital environment. Governments and businesses worldwide recognized this imperative and accelerated the adoption of a Zero Trust strategy. Through supporting thousands of deployments and observing the expanding threat landscape, we have revised and evolved the Zero Trust architecture and maturity model we released two years ago based on what we have learned. We want to share those learnings for organizations to implement today and tomorrow.

• Improve user experience and productivity with Zero Trust: Zero Trust enabled users to safely work from home, enroll new devices from anywhere, hold secure meetings, and achieve new levels of productivity. Successful Zero Trust deployments use all available telemetry to prioritize user experience and business enablement, and more effectively delegate responsibilities to the right level of the organization. These organizations further empower users and admins with automatic protection and security insights that allow them to execute with confidence and agility.  A Zero Trust approach empowers people to work productively and securely when, where, and how they want.

• Apply Zero Trust to your entire digital estate. Recent nation-state attacks demonstrate that attackers will exploit any vulnerability. In our observations, the organizations that fared best against such attacks had embraced Zero Trust strategies broadly. These organizations began with a full inventory and assessment of resources across on-premises and cloud environments, prioritizing protections based on their relative importance to the business. This was coupled with verifying and protecting all aspects of their digital estate, including all human and nonhuman identities, endpoint platforms, networks, microservices, virtual machines, and workloads. Implementing Zero Trust requires a comprehensive vision and plan, prioritizing milestones based on the most important assets first

• Integrate verification and controls across security pillars. Attackers exploit gaps exposed by siloed programs and processes. To prevent incursions, end-to-end visibility and control across the security estate is critical. Organizations with separate tools to monitor individual aspects like network, internet access, and internet triage will lack a complete view of their estate. Integrating controls and telemetry across security pillars enables organizations to apply unified policies and enforce them consistently, resulting in a more robust security posture. Unifying strategy and security policy with Zero Trust breaks down siloed information technology (IT) teams to enable better visibility and protection across the IT stack.

• Monitor your security posture with strong governance. Strong governance is directly linked to the performance of Zero Trust initiatives. Organizations with advanced strategies verify business security assertions by regularly validating technical security assertions like “is this device registered” or “is this data confidential?” The best Zero Trust strategies are founded on governance models that ensure the integrity of data to drive continuous assessment and improvement. Analyzing these productivity and security signals also helps evaluate security culture, identifying areas for improvement or best practices. Enforcing strong governance with a Zero Trust approach includes validating business assertions, assessing security posture, and understanding the impact of security culture.

• Automate to simplify and strengthen your security posture. Automation is critical to a robust and sustainable security program. The best Zero Trust deployments automate routine tasks like resource provisioning, access reviews, and attestation. These organizations use machine learning and AI in threat protection tactics like security automation and orchestration to defend themselves, enabling them to build back infrastructure quickly after an attack. Given the inundation of threat notifications and alerts hitting the security operations center (SOC) today, automation is critical to managing the digital environment at the speed and scale needed to keep up with today’s attacks. A Zero Trust approach prioritizes routine task automation, reducing manual efforts so security teams can focus on critical threats.